Two New Browser Threats
Over the past year, security researchers found many new Web attacks indicating that the “bad guys” have come up with some rather advanced methods to accomplish their dirty deeds. In the past few months alone, two particular banking attacks have been detected that demonstrate the sophisticated methods being used to steal money from online banking users. In the first attack method, dubbed “Chat-in-the-Middle,” the fraudster creates a fake support chat session with his victim by claiming to be from the bank’s fraud department. The fraudster then uses social engineering techniques to attempt to gather further information from the unsuspecting victim. The second attack, a Trojan known as URLZone, involves editing a user’s banking website to hide money transfer transactions started by the attackers. This technique gives attackers ample time to transfer the funds through “money mules” and, eventually, into their own accounts, well before the attack is ever spotted by the victim.
The Chat-in-the-Middle attack method begins as a standard phishing attack. The victim is asked to log in to a phishing site, which looks similar to his banking site, using his credentials. After the credentials are entered, a chat window opens. The notice in the chat window states that the bank’s fraud department now requires validation of accounts, and that this is accomplished by entering personal information into the chat window. This information is then harvested by the attacker to be used or sold for malicious purposes. This method is far more fruitful for attackers than previous phishing methods, as attackers can now collect personal information in real time.
The URLZone Trojan is a rather nasty attack method that can go unnoticed by the victim until his bank account is completely drained. The Trojan is first obtained through a “drive-by download,” meaning a malicious Web page, or malicious code on an otherwise legitimate page, forwards an unsuspecting user to a website that automatically downloads the malicious package. The Trojan then waits for the user to log in to his banking website, at which point the user’s credentials are stolen. The attacker then uses the stolen credentials to transfer money to designated accounts. This is the point at which the Trojan gets really nasty. The next time the victim accesses his bank account from the infected PC, the Trojan rewrites some of the Web page code to hide a transfer or to disguise a large transfer as a much smaller one. The Trojan also withdraws random amounts of money to avoid tripping any automatic detection mechanisms. In addition, URLZone calculates the amount of money in the account to ensure that it does not overdraft the account, which could draw unwanted attention to the attacker.
Protection against these forms of attack requires user training as well as ample perimeter defense and monitoring that can detect connections to malicious or unusual destinations. All phishing-based attacks require some form of user interaction, whether it is clicking a link in an email disguised to look legitimate or answering questions asked through a malicious yet well-disguised chat session. Therefore, users need to be made aware of phishing tactics and informed of the proper response plan. Any email that users deem questionable should be brought to the administrator’s immediate attention so that the proper research and notification steps can be taken. URLZone and other malicious file downloads can be spotted by monitoring outbound connections through the firewall and looking for tell-tale signs of malicious content. For instance, Gladiator’s Raw Traffic Analysis (RTA) service sifts through all outbound connections made through the firewall and detects connections to known malicious domains, executable or other file downloads, and even URL strings that can indicate malicious content. Since the URLZone Trojan makes many connections back to servers in Ukraine, these connections can be spotted with proper firewall log analysis.
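As an added illustration of the kind of outbound log review described above (example code written for this article, not Gladiator’s RTA service), the script below parses constructed firewall/proxy log lines and flags the three tell-tale signs mentioned: connections to a blocklisted domain, executable file downloads, and URL strings with a raw IP address in place of a hostname. The log format, the blocklist entries and the sample lines are all assumptions made up for the example.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed blocklist; placeholder names only, not real URLZone infrastructure.
KNOWN_BAD_DOMAINS = {"c2.malicious-example.test", "dropper.bad-example.invalid"}
# File types whose download from an unfamiliar site warrants a closer look.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".pif", ".msi")

def classify_url(url):
    """Return the reasons an outbound request deserves analyst attention (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_DOMAINS):
        reasons.append("known malicious domain")  # the domain itself or any subdomain
    if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable download")
    try:  # a bare IP where a hostname is expected is a common drive-by indicator
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of hostname")
    except ValueError:
        pass
    return reasons

def analyze_log(log_text):
    """Parse 'timestamp client method url status' lines; return flagged (client, url, reasons)."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the whole analysis
        _ts, client, _method, url, _status = fields
        reasons = classify_url(url)
        if reasons:
            findings.append((client, url, reasons))
    return findings

def clients_to_investigate(findings, min_hits=2):
    """Internal hosts with repeated flagged connections: candidates for an infected PC."""
    counts = Counter(client for client, _url, _reasons in findings)
    return sorted(client for client, hits in counts.items() if hits >= min_hits)

# Constructed sample log (format assumed for this example): timestamp client method url status
CONSTRUCTED_LOG = """\
2009-10-01T10:00:01 192.168.1.20 GET http://www.example.com/index.html 200
2009-10-01T10:02:13 192.168.1.31 GET http://203.0.113.45/load/update.exe 200
2009-10-01T10:02:20 192.168.1.31 POST http://c2.malicious-example.test/gate.php 200
2009-10-01T10:03:02 192.168.1.44 GET http://www.example.com/docs/report.pdf 200
"""
```

Running `analyze_log(CONSTRUCTED_LOG)` flags only the two requests from 192.168.1.31, and `clients_to_investigate` then singles that PC out because it made more than one suspicious connection.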
Fortunately, thus far these two attack methods have not been used very often, and the URLZone Trojan has only been spotted in use in Germany. However, this does not take away from the harsh reality that the bad guys are coming up with more sophisticated and potentially devastating attack methods. Users and IT administrators alike must be kept abreast of current attack methods and trends, as falling behind could harm worker productivity and possibly have serious financial consequences.
Reference Links
- RSA information on Chat-in-the-Middle (http://www.rsa.com/blog/blog_entry.aspx?id=1520)
- Wired article on URLZone (http://www.wired.com/threatlevel/2009/09/rogue-bank-statements/)